Bug 715720 (CVE-2020-6450, CVE-2020-6451, CVE-2020-6452)

Summary: <www-client/{chromium,google-chrome}-80.0.3987.162: Multiple vulnerabilities (CVE-2020-{6450,6451,6452})
Product: Gentoo Security
Reporter: Stephan Hartmann (RETIRED) <sultan>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chromium, hjckr, hlein
Priority: Normal
Keywords: PullRequest
Version: unspecified
Flags: nattka: sanity-check-
Hardware: All
OS: Linux
URL: https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_31.html
See Also: https://github.com/gentoo/gentoo/pull/15209
Whiteboard: A3 [glsa+ cve]
Package list:
www-client/chromium-80.0.3987.162
Runtime testing required: ---

Description Stephan Hartmann (RETIRED) gentoo-dev 2020-04-01 07:18:34 UTC
See ${URL}

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 17:13:47 UTC
Thanks for reporting a security bug.

(We populate the summary with a version once a fixed version is in Gentoo for GLSA purposes. If it's in Gentoo and I missed it somehow, let me know.)

---
@maintainer(s), please create an appropriate ebuild.
Comment 2 Larry the Git Cow gentoo-dev 2020-04-01 19:13:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30cc9ceeb006edbd292f56adc680a8937ce022d0

commit 30cc9ceeb006edbd292f56adc680a8937ce022d0
Author:     Stephan Hartmann <stha09@googlemail.com>
AuthorDate: 2020-04-01 17:21:14 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-04-01 19:13:35 +0000

    www-client/chromium: stable channel bump to 80.0.3987.162
    
    Bug: https://bugs.gentoo.org/715720
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Stephan Hartmann <stha09@googlemail.com>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/15201

 www-client/chromium/Manifest                      |   1 +
 www-client/chromium/chromium-80.0.3987.162.ebuild | 739 ++++++++++++++++++++++
 2 files changed, 740 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2020-04-02 16:53:07 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Larry the Git Cow gentoo-dev 2020-04-02 17:52:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38f15cb17e29f052ac0a9db1ff953ba25a078d52

commit 38f15cb17e29f052ac0a9db1ff953ba25a078d52
Author:     Stephan Hartmann <stha09@googlemail.com>
AuthorDate: 2020-04-02 17:01:20 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-04-02 17:52:04 +0000

    www-client/chromium: security cleanup
    
    Bug: https://bugs.gentoo.org/715720
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Stephan Hartmann <stha09@googlemail.com>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 www-client/chromium/Manifest                      |   1 -
 www-client/chromium/chromium-80.0.3987.149.ebuild | 739 ----------------------
 2 files changed, 740 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 19:05:26 UTC
Thanks.  Tree clean.
Comment 6 NATTkA bot gentoo-dev 2020-04-06 11:20:46 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 7 NATTkA bot gentoo-dev 2020-04-09 17:24:23 UTC
Unable to check for sanity:

> no match for package: www-client/chromium-80.0.3987.162
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-10 21:55:00 UTC
New GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-04-10 22:03:23 UTC
This issue was resolved and addressed in
 GLSA 202004-09 at https://security.gentoo.org/glsa/202004-09
by GLSA coordinator Thomas Deutschmann (whissi).